Jump to content

Shoulder surfing (computer security)

From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by Edward (talk | contribs) at 00:47, 18 November 2010 (link closed-circuit television camera using Find link). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

In computer security, shoulder surfing refers to using direct observation techniques, such as looking over someone's shoulder, to get information.[1] Shoulder surfing is particularly effective in crowded places because it is relatively easy to observe someone as they:

  • fill out a form
  • enter their PIN at an automated teller machine or a POS terminal
  • use a calling card at a public pay phone
  • enter passwords at a cybercafe, public and university libraries, or airport kiosks.
  • enter a code for a rented locker in a public place such as a swimming pool or airport.

Shoulder surfing can also be done at a distance using binoculars or other vision-enhancing devices. Inexpensive, miniature closed-circuit television cameras can be concealed in ceilings, walls or fixtures to observe data entry. To prevent shoulder surfing, it is advised to shield paperwork or the keypad from view by using one's body or cupping one's hand.

Recent automated teller machines now have a sophisticated display which discourages shoulder surfers from obtaining displayed information. It grows darker beyond a certain viewing angle, and the only way to tell what is displayed on the screen is to stand directly in front of it. Although this prevents an observer obtaining some information, eg account balance, it does not protect the PIN, because the PIN is typically not displayed during entry.

Certain models of credit card readers have the keypad recessed, and employ a rubber shield that surrounds a significant part of the opening towards the keypad. This makes shoulder-surfing significantly harder, as seeing the keypad is limited to a much more direct angle than previous models. ISO 9564, the international standard for PIN management, mandates such measures thus:[2]

The PIN entry device shall be designed or installed so that the customer can prevent others from observing the PIN value as it is being entered.

Also some keypads alter the physical location of the keys after each keypress. For example the digit 1 may be the upper left on the first press, then moves to the bottom right for the second. Also, security cameras are not allowed to be placed directly above an ATM.

POS terminals often available in shops, supermarkets, and fuel outlets are more difficult to use in a way that prevents shoulder surfing as they are often located in exposed view on counters. It is good practice to shield the keypad with one hand while entering digits with your other hand.

References

  1. ^ Shorter Oxford English Dictionary (6th ed.), Oxford University Press, 2007, ISBN 978-0-19-920687-2
  2. ^ ISO 9564-1:2002 Banking — Personal Identification Number (PIN) management and security — Part 1: Basic principles and requirements for online PIN handling in ATM and POS systems, clause 5.4 Packaging considerations
Retrieved from "https://en.wikipedia.org/enwiki/w/index.php?title=Shoulder_surfing_(computer_security)&oldid=397411564"